NDAA and Cybersecurity Redux -- CORRECTION

Paul Rosenzweig
Wednesday, December 19, 2012, 12:25 PM
As Bobby has already noted the conference report on the NDAA was filed last night.  Some readers may recall that I was concerned about section 936 of the Senate version of the bill -- a provision that requires Defense contractors to report cyber breaches without affording them liability protection and without allowing DoD to share the threat or vulnerability information with other parts of the Government.  As I said at the time, it was the worst of both worlds -- mandatory reporting with

Published by The Lawfare Institute
in Cooperation With
Brookings

As Bobby has already noted the conference report on the NDAA was filed last night.  Some readers may recall that I was concerned about section 936 of the Senate version of the bill -- a provision that requires Defense contractors to report cyber breaches without affording them liability protection and without allowing DoD to share the threat or vulnerability information with other parts of the Government.  As I said at the time, it was the worst of both worlds -- mandatory reporting without information sharing. Earlier today, I wrote that "it appears that Section 936 was removed from the bill in conference."  Sadly, it wasn't -- it was just renumbered as new section 941, where it resides in all its glory, soon to become law.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare